
\newpage
\subsection{Scalar SHA-256 / SHA-512 Acceleration}
\label{sec:scalar:sha2}

\subsubsection{SHA-256 Instructions}

\begin{bytefield}[bitwidth={1.05em},endianness={big}]{32}
\bitheader{0-31} \\
\encshatwofivesixsigzero
\encshatwofivesixsigone
\encshatwofivesixsumzero
\encshatwofivesixsumone
\end{bytefield}

\begin{cryptoisa}
sha256sig0 rd, rs1
sha256sig1 rd, rs1
sha256sum0 rd, rs1
sha256sum1 rd, rs1
\end{cryptoisa}

The {\tt sha256.*}
instructions implement the four $\sigma$ and $\sum$ functions used in
the SHA256 hash function \cite[Section 4.1.2]{nist:fips:180:4}.
These operations are supported for both RV32 and RV64 base architectures.
For RV32, the entire XLEN source register is operated on.
For RV64, the low 32-bits of the XLEN register are read and operated on,
with the result {\em zero} extended to XLEN bits.
Though named for SHA256, the instructions work for both the
SHA-224 and SHA-256 parameterisations as described in
\cite{nist:fips:180:4}.
RISC-V Sail model code for each instruction is found in figure
\ref{fig:sail:sha256}.

\begin{figure}[h]
\lstinputlisting[language=sail,firstline=43,lastline=53]{../extern/sail-riscv/model/riscv_insts_kext.sail}
\caption{RISC-V Sail model specification for the scalar RV32/RV64 SHA256 instructions.}
\label{fig:sail:sha256}
\end{figure}

\subsubsection{SHA-512 Instructions}

\begin{bytefield}[bitwidth={1.05em},endianness={big}]{32}
\bitheader{0-31} \\
\encshafiveonetwosigzero
\encshafiveonetwosigone
\encshafiveonetwosumzero
\encshafiveonetwosumone
\end{bytefield}

\begin{bytefield}[bitwidth={1.05em},endianness={big}]{32}
\bitheader{0-31} \\
\encshafiveonetwosumzeror
\encshafiveonetwosumoner
\encshafiveonetwosigzerol
\encshafiveonetwosigzeroh
\encshafiveonetwosigonel
\encshafiveonetwosigoneh
\end{bytefield}

\begin{cryptoisa}
RV32:                                       RV64:
  sha512sum0r rd, rs1, rs2                    sha512sig0 rd, rs1
  sha512sum1r rd, rs1, rs2                    sha512sig1 rd, rs1
  sha512sig0l rd, rs1, rs2                    sha512sum0 rd, rs1
  sha512sig0h rd, rs1, rs2                    sha512sum1 rd, rs1
  sha512sig1l rd, rs1, rs2 
  sha512sig1h rd, rs1, rs2 
\end{cryptoisa}

The \mnemonic{sha512.*}
instructions implement the four $\sigma$ and $\sum$ functions used in
the SHA512 hash function \cite[Section 4.1.3]{nist:fips:180:4}.

The RV32 instructions work by concatenating the two 32-bit {\tt rs1} and
{\tt rs2} registers into a 64-bit word.
The high or low 32-bits of the full 64-bit function result are then
written to the destination register depending on the instruction.

For the \mnemonic{sha512sum*r} instructions, the operation is based
purely on rotations;
the high or low 32-bits of the result can be selected by swapping
the input source registers to the instruction.
For the \mnemonic{sha512sig*[l|h]} instructions, which include shifts,
the {\tt *l} instruction writes the {\em low} 32-bits of the $\sigma$
transform, and the {\tt *h} instruction writes the {\em high} 32-bits.

The RV64 instructions compute the entire $\sigma$ and $\sum$ functions
based on a single input register, and write the result to {\tt rd}.

Though named for the SHA-512 parameterisation, the instructions
can be used for all of the SHA-384, SHA-512, SHA-512/224 and SHA-512/256
parameterisations as described in \cite{nist:fips:180:4}.

RISC-V Sail model code for the RV32 and RV64 instructions can be found in
Figure \ref{fig:sail:sha512:rv32}
and
Figure \ref{fig:sail:sha512:rv64}
respectivley.

\note{
The remaining two core functions in the SHA256/512
algorithms are the $Ch$ and $Maj$ functions:
\begin{itemize}
\item \lstinline{Ch(x,y,z)  = z ^ (x & (y ^ z))}
\item \lstinline{Maj(x,y,z) = x ^ ((x ^ y) & (x ^ z))}
\end{itemize}
As ternary functions, they are much too expensive in terms of
opcode space to consider for inclusion as dedicated instructions for
such a specialist use-case.
}

\begin{figure}[h]
\lstinputlisting[language=sail,firstline=125,lastline=138]{../extern/sail-riscv/model/riscv_insts_kext_rv32.sail}
\caption{RISC-V Sail model specification for the scalar RV32 SHA512 instructions.}
\label{fig:sail:sha512:rv32}
\end{figure}

\begin{figure}[h]
\lstinputlisting[language=sail,firstline=158,lastline=168]{../extern/sail-riscv/model/riscv_insts_kext_rv64.sail}
\caption{RISC-V Sail model specification for the scalar RV64 SHA512 instructions.}
\label{fig:sail:sha512:rv64}
\end{figure}
